Grand Auto Theft: 3m DIRT 3 Keys Nicked

News that an eyebrow-raising 3 million Steam activation codes for natty racing title DIRT 3 had been leaked online broke earlier today, and now has an official oh-dear air to it as a result of confirmation from AMD that, yes, the codes were intended for vouchers that shipped with their Radeon graphics cards and yes, a database file containing them was purloined by bad eggs. I’m sure no-one at AMD or DIRT 3 publisher Codemasters is terribly calm right now, but at least it doesn’t appear to be the case that either of their sites or servers were directly hacked.
AMD reckons that “These activation keys were hosted on a third party fulfillment agency website, www.AMD4u.com, and did not reside on AMD’s website. Neither the AMD nor Codemasters servers were involved.” All three groups, plus Steam, are apparently teaming up for some kind of Oh Jesus Christ We Need To Stop This operation, and in the meantime AMD warn that people with valid vouchers might be in for “a short delay.”

Three million! Cripes. That’s the kind of sales figure many games would kill for. And now out there for free. However, I am quite sure it’s going to prove possible to deactivate the codes in question and, no doubt, ban the accounts of anyone who used them. Oh, second decade of the 21st century: you are a strange animal.

66 Comments

Ha, but seriously… to everyone freaking out about the potential collateral damage to their Steam account: I don’t think you have much to worry about. Steam isn’t going to ban thousands of accounts and lose thousands upon thousands of sales over this. Right now, they’re wagging their collective finger at the people who got away with it, and removing the game from the accounts of those who e-mailed Steam support while simultaneously shitting themselves in fear. Honestly, I don’t condone the mass pirating, but it pretty much is AMD and Codemasters’ fault for making the files so easily accessible.

WOW no one here knows how the actual users obtain their LEGIT codes (I mean the people like me who bought a card).

1. buy card
2. register card on xfx.com
3. make sure you register the card with the code you received on the back of the do not disturb door hanger
4. get the Steam activation code back from XFX (or AMD if that’s what it was, I don’t remember; it has been months since I did this)
5. activate and download your game via steam

so easy answer: any codes not given out to registered card owners get banned

This really sucks, I bought a card from AMD (which is my personal favorite anyway) and still can’t get Dirt 3 to run. These jerks screwed the legit buyers. My card will be obsolete and I’ll never get to play the game :(

That seems to be the easiest, maybe require the video card’s serial number or something instead of the code. The problem they have is that the list includes all the valid keys, which has to be hard to sift through without just invalidating them all and using a different method to grant the game. The promo has been out for a while, there are a lot of people with legitimate copies out there that will be pretty pissed off to lose the game, and will cause an internet meltdown if they start closing Steam accounts over it.

But there will still be legitimate users affected. The only way I can see to do this is to deactivate all the codes, then re-send new ones to everyone who purchased said cards. They’d have to go through the retailers though, which would be tricky.

Hey xian, why better you don’t deactivate your account? There’s a lot of innocent people and even they know these serials are stolen, they don’t deserve Valve banning their accounts and losing these games that they worked hard to have their games registered “as should be”, it’s a lot of money we’re talking about!

As these keys were part of a legitimate giveaway (before they were compromised), there are also people who legitimately got the keys (before they were compromised). Banning them would be grossly unfair.

You simply have to write a basic program that can divide all those key entries (with a bit of handy string manipulation) and then call a function within STEAM or their database to identify whether or not the key has been used.

It’s more the issue with dealing with users that go to try and validate their copy and then it turns out that their key got redeemed from the leaked list.

Also, it’s highly unlikely that STEAM will start banning accounts. No doubt a lot of the people who redeemed those codes were paying customers with games on their accounts that were paid for legitimately. If anything, considering they have the leaked list, they will simply remove the game from the account in question.

But then again, there were a few people that had keys from that list and redeemed it legitimately through a voucher as opposed to the text file on the internet. So, I have no clue how this is ultimately going to pan out.

Frankly if you buy ‘Steam keys’ from anywhere other than reputable sites, you DESERVE that…

It’s easy tho – they disable all the codes, games will become unplayable for everyone (legit or otherwise) and then they send out new codes via the original mechanism (to legal customers) which they enter and ‘VIOLA!’

Well say someone wins a free copy of a game (that uses steam) and they already own said game. They are often given a steam key which they could turn around and sell. I wouldn’t say you deserve sad times for buying a steam key from someone.

“the “hack” was simply going to link to amd4u.com which gave you access to 3 SQL files filled with keys.”

The files in question now taken down, naturally. If this is indeed how the codes were compromised, it doesn’t really qualify as hacking. It qualifies as a company failing miserably to protect £90 million worth of codes. Methinks AMD won’t be using that particular third party again in a hurry.

This is *NOT* SQL injection, this is plaintext SQLite files being placed in a publicly accessible web server directory ready for download by anyone who happened to append “/sql” to the URL in their browser’s address bar. This kind of thing would have been an embarrassment in 2001, in 2011 it’s unbelievable.

The reason my mind didn’t even doubt it was legit was for the reason that the address was so simple and basic and, I dunno.. O.o I was told it was just a promotional thing but I didn’t take the time to see how many codes there actually were to conclude the bullshitism. I just scrolled down a bit and picked one as quick as I could cause I thought they’d run out quick and it was just a “small” thing. It wasn’t till someone with half a brain pointed out to me that it seems fishy that I thought about it…

Why would there be something like that stored there?
I don’t quite understand and I own an SMF forum and know some basics about web design and databases.
I still don’t get it. Still, shame on me..

If this is the case, the person who took the keys might have a very real case for arguing that they were posted by the company in a public place, it was not theft at all.

In fact I’m pretty damn sure by most countries’ laws this would fail to constitute theft, it’s the equivalent of throwing money out of a window into the street and then trying to claim those who picked it up were thieves.

Browsers can eventually see all files put on the web. So if you have a file you don’t want people to access directly and download, you can put it in a place outside of the visible directory, and your web application can still access it, but not the general public.

This is a big no-no. It takes another error somewhere, a minor one, for people to figure out secrets.sqlite exists and download it. It doesn’t even need to be a software error, sometimes hardware suffers glitches, that could result in an error message like “I can’t open /var/www/sql/secrets.sqlite, because is in read only mode device”, and BANG, the crackers or anyone curious know about your file and have access to it.

If game companies don’t want to suffer this type of error, the solution is easy: hire people with experience. Experience matters.
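
The comments above describe database files left inside a web-served directory. As an added example (not part of the original article or its comments), this Python script audits a document root for such files, recognising SQLite databases and SQL dumps by their content rather than by name; the sample file names and the extension list are assumptions constructed for illustration.

```python
import os
import tempfile

SQLITE_MAGIC = b"SQLite format 3\x00"  # first 16 bytes of every SQLite 3 database
SQL_DUMP_HINTS = (b"insert into", b"create table")
DATA_EXTENSIONS = {".sql", ".sqlite", ".sqlite3", ".db", ".bak", ".dump"}  # assumed list


def classify(path):
    """Return why a file under the web root looks like exposed data, or None."""
    with open(path, "rb") as fh:
        head = fh.read(4096)
    if head.startswith(SQLITE_MAGIC):
        return "sqlite database (magic bytes)"
    lowered = head.lower()
    if any(hint in lowered for hint in SQL_DUMP_HINTS):
        return "sql dump (statements in file head)"
    if os.path.splitext(path)[1].lower() in DATA_EXTENSIONS:
        return "data file extension"
    return None


def audit_docroot(docroot):
    """Walk docroot and return sorted (relative_path, reason) findings."""
    findings = []
    for base, _dirs, files in os.walk(docroot):
        for name in files:
            full = os.path.join(base, name)
            reason = classify(full)
            if reason:
                rel = os.path.relpath(full, docroot).replace(os.sep, "/")
                findings.append((rel, reason))
    return sorted(findings)


def build_sample_docroot(root):
    """Constructed sample tree: two exposed data files and one ordinary page."""
    samples = {
        "index.html": b"<html><body>Redeem your voucher</body></html>",
        "sql/codes.sqlite": SQLITE_MAGIC + b"\x00" * 84,
        "keys/export.txt": b"INSERT INTO vouchers VALUES ('SAMPLE-0001');\n",
    }
    for rel, data in samples.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_docroot(tmp)
        for rel, reason in audit_docroot(tmp):
            print(f"EXPOSED  /{rel}  ({reason})")
```

Anything the audit reports belongs outside the document root, readable by the application's account only.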

Somewhat hoping they won’t be banning accounts with these keys since I’m one of them. Given the amount of sites that do key giveaways I didn’t bat an eyelid when I was linked a list of 1000 Dirt 3 keys (It does seem the number grows in the telling of the tale, I’ve heard ranges from 250,000 to 1.2million to as high as 3 million. Which the 3 million seems way off since as you pointed out that’s sales figures most games would die for. Seems odd to just give that many away)

Messaged Steam Support yesterday once I heard the keys weren’t meant to be given away, seems some people are seeing the game disappear from their library but up to now all I have is a “We are investigating this issue further. As soon as we have more information, we will update your ticket.” response. They’re free to remove the game from my library but they can sod off if they think they can ban folks’ accounts over AMD’s gaffe.

This happened with Metro 2033 a while back, and King’s Bounty was given away for free accidentally, and Crasher, all on Steam. Nobody got banned. In the case of Crasher, the games were removed, but Metro 2033 and King’s Bounty weren’t, since it was impossible to tell who got the keys legit.

They have no way of being able to know whether or not you obtained your key through this method, so your account is safe.

keys8.txt when it was accessible had keys 1,750,001-2,000,000, so 2 million sounds like a likely number to me, but maybe the SQL file had its own set of unique keys, in which case, 3 million keys could be accurate.

Now that I realize it, they had the keys in two different publicly accessible locations, /sql/ and /keys/. No one who has used these keys deserves to have their Steam accounts banned. Hopefully, the third party provider kept a log of all legitimate keys used so Valve can quickly and swiftly remove the unauthorized keys from users’ Steam accounts.

I got two keys with my video card I purchased recently. I used one for myself (only to find that I suck balls at racing sims) and still have the other. I couldn’t even get a cheap game in trade for it before, no doubt it will be impossible now. I’ll just gift it to someone on my friends list.

Zoinks!
Seems like they’re going to have to cancel all the keys and then provide a way for all the legitimate recipients to get a new one. It turns a nice give-away into a palaver for everyone involved.

I’m going to be honest, I thought it was legit because I didn’t think keys would be stored in such plain view… I was linked just saying they do free give-aways and I’ve heard of them already doing that before…

I also contacted steam support to explain the situation.
The game is not installed.

I was directed to the site. Now I found out about this. My reaction? FUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU-. The same story as Dean B. I hope they only delete the game. Would be better than banning accounts.

Strange thing for me was that I did a Steam game trade with a chap last week who bought an AMD card, which had a legitimate key – sent me the scan of the voucher and everything, which worked perfectly.

If action is taken I sure as hell hope legitimately registered keys (via email, then Steam) aren’t grouped into the same pile as those nicked.

Otherwise hooboy I’ll be fuming to have my account I’ve had since beta suspended. Makes me irk thinking about it.

I am going to be honest: one of my friends on MSN gave me this list of codes in a hurry and told me to be very quick with using one of those codes because then I would have Dirt 3 for free. I did what he said and yes I got Dirt 3 working. Now a few hours later I have discovered what this really means and I am afraid of being banned. I don’t dare to contact Steam because then they know that I have one of those illegal copies.
I don’t know what to do now, the best would be to see Dirt 3 just disappear from my game list, just like what happened to some other people. I wish this would have never happened.
Can someone tell me what to do?!

-Immediately block all new Dirt 3 activations
-If there is already a lot of damage done: ban all registrations since the hack was done
-Show a message to the user when someone activates with one of these numbers
-Ask them to send their key + gpu number and then send them a new key

Bah, the hassle. Imagine a service desk having to handle hundreds of thousands of telephones: the costs are massive.

Yep, I’m in the same boat. I have asked steam to remove the game from my account but I feel like an idiot. The person tried telling me it was legit after the fact but I looked and found it in the files online. I won’t be talking to that person again.

Register all 3 million keys in Steam. And ask for a refund.
That’s like 180m dollars. Woot.

That’s one thing humans do better. A machine would give you 180 million in a refund, and not mind once, if it is programmed to refund for games given some set conditions. But a human will probably raise an eyebrow at the number of zeroes. Then laugh. Then fall to the ground unconscious. Then maybe ask his boss for instructions. Then call the police.

I just bought a new graphics card which came with one of these keys – tried to register it Tuesday night and was informed they were having a problem and to either scan or take a picture of the card and send it to them. Did that, got a new key back today, now activated on Steam. Voila. Now just got to find enough disk space for it. 11GB!